1
00:00:00,770 --> 00:00:01,680
So let's get started.

2
00:00:02,330 --> 00:00:10,250
Now we want to handle a post from the login form, so let's duplicate this route and change it

3
00:00:10,250 --> 00:00:16,430
to a post method and let's change that to PostShowLogin, which doesn't exist yet, but we'll create

4
00:00:16,430 --> 00:00:19,610
it in a moment, back over to our handlers.

5
00:00:19,610 --> 00:00:21,490
And I want to create a new function.

6
00:00:22,790 --> 00:00:25,820
And this is going to be of the receiver type repository.

7
00:00:27,200 --> 00:00:30,650
And I want to give it the name PostShowLogin.

8
00:00:30,980 --> 00:00:32,990
And of course, it takes a response writer

9
00:00:36,410 --> 00:00:41,690
and a pointer to an HTTP request.

10
00:00:42,260 --> 00:00:45,650
OK, so what am I going to do in this?

11
00:00:45,680 --> 00:00:47,950
Well, there are only two things coming in from the form.

12
00:00:47,960 --> 00:00:50,710
We have something called username and something called password.

13
00:00:50,720 --> 00:00:54,290
Well, we know we need to handle the CSRF protection, so let's go fix that.

14
00:00:54,890 --> 00:00:58,010
Let's go look at how we did that on our Make Reservation page.

15
00:00:58,550 --> 00:01:00,350
We had this line right here.

16
00:01:00,380 --> 00:01:07,520
So let's copy that and go back over to our login page and paste that in just after the opening form

17
00:01:07,520 --> 00:01:07,880
tag.

18
00:01:08,750 --> 00:01:10,340
And let's change that form.

19
00:01:10,340 --> 00:01:16,620
To have method="post" and action="/user/login" there.

20
00:01:16,640 --> 00:01:18,500
Now we should be able to post to this form.

21
00:01:18,860 --> 00:01:20,900
Let's verify that actually works first.

22
00:01:21,620 --> 00:01:30,920
So I'm going to go back to my code and I will find my handlers, wherever they are, and we'll

23
00:01:30,920 --> 00:01:38,090
just do this, log.Println("works"), and let's stop our application.

24
00:01:39,230 --> 00:01:40,280
Run the application.

25
00:01:42,130 --> 00:01:46,920
And we'll go over to our login page, which I still have here, but I'll reload the page so it gets

26
00:01:46,920 --> 00:01:52,960
a token, and put some values in here, me@here.com, password test, and submit.

27
00:01:53,200 --> 00:01:56,410
And what should happen in my log file is I should see...

28
00:01:56,410 --> 00:01:57,010
No, thank you.

29
00:01:57,010 --> 00:01:58,210
I don't want to save that password.

30
00:01:58,210 --> 00:01:58,780
It works.

31
00:01:58,780 --> 00:02:00,400
OK, so they're connected the way they should be.

32
00:02:00,940 --> 00:02:01,360
Perfect.

33
00:02:02,200 --> 00:02:09,880
Now we want to make sure that our authentication procedures use absolutely the best possible security

34
00:02:09,880 --> 00:02:10,860
that's available to us.

35
00:02:11,110 --> 00:02:16,690
And one of the things that I'm going to do right away before I do anything else on this form is I'm

36
00:02:16,690 --> 00:02:19,780
actually going to call a method on our session.

37
00:02:21,370 --> 00:02:31,030
m.App.Session right there, and I'm going to call a function called RenewToken, and what RenewToken

38
00:02:31,030 --> 00:02:38,050
does is it actually prevents something known as a session fixation attack. Every session

39
00:02:38,050 --> 00:02:40,410
that's stored anywhere in an application.

40
00:02:40,420 --> 00:02:43,480
A web application has a certain token associated with it.

41
00:02:43,730 --> 00:02:52,470
And when we're doing a log in or log out, it is always good practice to call the RenewToken method.

42
00:02:52,480 --> 00:02:53,350
So I'm going to do that.

43
00:02:53,560 --> 00:02:58,480
And all it requires is an argument for the context which I can get right from my response writer.

44
00:02:59,580 --> 00:03:05,820
There, so that's just good practice any time you're doing a log in or log out, make sure you renew

45
00:03:05,820 --> 00:03:10,560
the token and the next thing I'm going to do is pass the form which I've done many times before.

46
00:03:11,280 --> 00:03:14,040
err := r.ParseForm().

47
00:03:16,770 --> 00:03:23,970
And if there's an error, if err is not equal to nil, then I will just, for right now, I'll just

48
00:03:23,970 --> 00:03:25,290
log.Println(err).

49
00:03:26,100 --> 00:03:30,630
OK, so we've renewed our token for the session.

50
00:03:30,630 --> 00:03:31,850
We've passed our form.

51
00:03:31,860 --> 00:03:33,180
What is next?

52
00:03:33,210 --> 00:03:37,200
Well, let's make sure that we can actually authenticate.

53
00:03:37,620 --> 00:03:41,630
Now, I should be putting a check in here for... actually, let's do that right now.

54
00:03:41,640 --> 00:03:53,070
Let's see how we can make sure that our form has the necessary parameters, so forms.New, and it will

55
00:03:53,070 --> 00:03:54,350
come from our post form.

56
00:03:55,950 --> 00:04:03,270
So now form.Required, and the fields that are required are email and password.

57
00:04:08,340 --> 00:04:15,450
If not form.Valid(), then take them back, and I'll do the take back in a little bit. Right now I just

58
00:04:15,450 --> 00:04:17,490
want to get going, so we'll put a TODO:

59
00:04:20,280 --> 00:04:22,080
take user back to page.

60
00:04:22,290 --> 00:04:23,610
OK, so what?

61
00:04:23,610 --> 00:04:24,190
We'll do that in a minute.

62
00:04:24,870 --> 00:04:26,570
Otherwise, what I want to do...

63
00:04:26,580 --> 00:04:32,010
Well, I want to try to authenticate this user, and I can do that by calling the routine, the function

64
00:04:32,010 --> 00:04:34,760
that we just built and added to our repository.

65
00:04:35,040 --> 00:04:40,710
So we're going to call the Authenticate method, and Authenticate, if you'll recall, returns

66
00:04:40,710 --> 00:04:41,370
three things.

67
00:04:41,370 --> 00:04:46,620
The ID; the hash, which I'm going to ignore right now (the password hash from the database); and potentially

68
00:04:46,620 --> 00:04:47,100
an error.

69
00:04:47,550 --> 00:04:55,590
So I'll get that by calling m.DB.Authenticate, which is here somewhere.

70
00:04:55,620 --> 00:04:56,580
There it is, Authenticate.

71
00:04:57,090 --> 00:05:02,140
And what I'm going to be giving them are the user, in the email, and the password, which I can get right

72
00:05:02,160 --> 00:05:05,040
from my posted form request.

73
00:05:06,030 --> 00:05:07,290
So let's get those right here.

74
00:05:07,290 --> 00:05:18,570
First up, just to create variables, var email string and var password string, and then we'll actually

75
00:05:18,570 --> 00:05:19,980
populate that information.

76
00:05:21,420 --> 00:05:29,130
Email is equal to form.Get("email"), and the same thing for password.

77
00:05:34,750 --> 00:05:38,830
Actually, let's make this a little cleaner. Let's do that all in one step and get rid of those variable

78
00:05:38,830 --> 00:05:42,370
declarations, just less code to maintain.

79
00:05:43,090 --> 00:05:43,420
All right.

80
00:05:43,420 --> 00:05:49,180
So I have email and password, and I will pass these as the parameters to my Authenticate method, email

81
00:05:49,540 --> 00:05:50,320
and password.

82
00:05:51,340 --> 00:05:55,660
And I check for an error: if err is not equal to nil.

83
00:05:55,900 --> 00:06:01,150
And for right now, I'll just log.Println(err) and we'll keep going.

84
00:06:02,020 --> 00:06:10,150
So now if this happens, if they actually successfully authenticate, then we can actually

85
00:06:10,150 --> 00:06:10,860
log them in.

86
00:06:11,110 --> 00:06:12,070
And how do we do that?

87
00:06:12,100 --> 00:06:16,540
Well, we're going to do that by storing that ID we just created in the session.

88
00:06:16,730 --> 00:06:28,330
OK, so we will just go m.App.Session.Put, and it requires the context, r.Context(), and it requires

89
00:06:28,330 --> 00:06:34,110
a key, user ID, and it requires a value, and the value is going to be ID.

90
00:06:35,350 --> 00:06:36,370
So they're actually logged in.

91
00:06:36,490 --> 00:06:38,020
Now think about what's happening here.

92
00:06:38,890 --> 00:06:41,530
First of all, I know I have to go back and do the form validation.

93
00:06:41,530 --> 00:06:42,640
I'll do that in a little while.

94
00:06:42,640 --> 00:06:47,740
That's why I put the TODO there to remind me to do it, and my IDE helpfully highlights it just to draw

95
00:06:47,740 --> 00:06:48,510
it to my attention.

96
00:06:49,510 --> 00:06:50,850
Then we try to authenticate them.

97
00:06:50,860 --> 00:06:54,850
And right now I'm saying if there's an error of any sort, just log it and keep going.

98
00:06:54,850 --> 00:06:56,330
And that's probably not good.

99
00:06:56,440 --> 00:06:57,570
I do want to log there.

100
00:06:57,580 --> 00:07:02,140
I do want to have a copy of whatever went wrong, but I actually want to do something else.

101
00:07:02,140 --> 00:07:04,860
And what I want to do is take them back to the login form.

102
00:07:05,260 --> 00:07:12,250
So what I can do for right now is say m.App.Session.Put, and I'll put r.Context().

103
00:07:12,250 --> 00:07:22,150
We need that, and I'll put my error, and I'll just put "invalid login credentials"

104
00:07:24,880 --> 00:07:26,200
and then I want to redirect them.

105
00:07:26,200 --> 00:07:33,250
So http.Redirect, which requires a response writer, a request,

106
00:07:33,250 --> 00:07:43,270
a URL, /user/login, to take them back to that form, and the code, I'll put http.StatusSeeOther, and

107
00:07:43,270 --> 00:07:48,250
then I want to return, because I don't want to do anything else after this point. Otherwise, it works.

108
00:07:48,370 --> 00:07:50,170
And at that point, what do I want to do?

109
00:07:50,170 --> 00:07:55,120
I want to actually take them somewhere else, maybe to the homepage with a success message.

110
00:07:55,120 --> 00:08:04,000
So I'll just copy and paste that and make this "flash" and put in a message of "logged in successfully"

111
00:08:06,640 --> 00:08:10,420
and take them to the homepage and that should do it.

112
00:08:10,750 --> 00:08:11,240
All right.

113
00:08:11,650 --> 00:08:17,230
So right now, of course, we can't test this because we have nothing in the database to authenticate

114
00:08:17,230 --> 00:08:17,650
against.

115
00:08:17,830 --> 00:08:20,320
But this is the basic logic we want to use.

116
00:08:20,590 --> 00:08:27,010
We want to ensure that when they post the login form, that we pass the necessary information, that

117
00:08:27,010 --> 00:08:29,260
we get our email and password from the request.

118
00:08:29,290 --> 00:08:31,870
Then we'll do some validation, which we'll add in the next lecture.

119
00:08:32,260 --> 00:08:33,580
Then we authenticate them.

120
00:08:33,580 --> 00:08:38,590
If they don't authenticate, we print the error to the log just so we have it, put an error

121
00:08:38,590 --> 00:08:41,350
message in the session, and take them back to the login screen.

122
00:08:41,590 --> 00:08:46,240
Otherwise we put their user ID in the session.

123
00:08:46,390 --> 00:08:49,830
We store a success message in the session and we take them back to the homepage.

124
00:08:50,080 --> 00:08:54,250
So this looks like it's getting much closer to what we want it to do.

125
00:08:54,670 --> 00:08:55,930
So let's give this a comment.

126
00:08:57,130 --> 00:09:01,660
Handles logging the user in, and save it.

127
00:09:01,960 --> 00:09:07,600
And in the next lecture, we'll add the necessary validation for right here and we'll see what we can

128
00:09:07,600 --> 00:09:10,780
do with that user ID that we've stuck in the session.

129
00:09:10,810 --> 00:09:16,000
What we're going to have to do is write some middleware and the middleware on every request will determine

130
00:09:16,000 --> 00:09:18,670
whether or not the user is logged in.
